Exchange 2010 CAS with Multiple Certificates

Posted on 2011-05-04
Last Modified: 2012-05-11
My company is in the process of upgrading from Exchange 2007 to Exchange 2010, and our public DNS / AD namespace situation is somewhat unique. Our public namespace is company.com, but our internal AD namespace is company.int. Thus we appear to have the need for multiple certificates on our CAS server, with external clients connecting to one web site using one certificate and internal clients connecting to another web site using another certificate. Due to the .int public domain suffix being reserved for international organizations formed via treaties, we're unable to get an SSL certificate with SANs that cover both our internal and external namespace.

Tried following the MSFT guide posted here, but once completed the Exchange Management Console breaks, we start to see inconsistent behavior with the routing of IP traffic from the 2nd IP address (Windows appears to intermittently send traffic onto the wire with the wrong source address), and we have problems getting the 2nd address (external site) to not register in DNS. The last problem results in some clients connecting to the wrong site and getting certificate errors.

As a temporary workaround we have issued an SSL certificate from our own AD certificate authority with SANs that cover all of the names. This is working for functionality testing, but once we start to move large numbers of users over with non-domain-joined mobile devices and PCs this fix will be a no-go.

Is there an easier, less complex solution to handle this situation?

Question by: dance1bb

Expert Comment

ID: 35689721
Why don't you use a single certificate that uses UCC and SANs? That will be a lot easier.

Author Comment

ID: 35689809
Busbar - We are unable to get a certificate from a public certificate authority for our internal namespace due to it ending in .INT.

My understanding is that this prevents us from getting our internal namespace and external namespace on the same certificate when using a public certificate authority.

Expert Comment

ID: 35689854
Nothing wrong with that; it is OK to have internal and public names in the UCC certificate.

Author Comment

ID: 35690114
We do not own the public domain name mycompany.int (and can't get it due to the restrictions surrounding the INT TLD).

We do own the public domain name mycompany.com

Everything I could find (admittedly it wasn't a whole lot) pointed to certificate authorities not issuing certs for domains you don't own.

Thank you for the timely help and sorry for any confusion  :)

Accepted Solution

kdgoodknecht earned 2000 total points
ID: 35690343
The easiest way is to configure your internal DNS to allow you to use the same public names internally. So if your Exchange server's public name is mail.company.com, create a new forward lookup zone in your internal DNS named "mail.company.com" (without quotes), then create an A record in the zone, leave the name field blank, and give it the Exchange server's internal IP.
Then obtain a Set-AllVDirs.ps1 script to set the CAS to use the public name internally. This is a lot less confusing when supporting mobile computers, phones and devices such as iPads.

For the script: http://www.polbootcamp.com/2009/01/script-to-configure-autodiscover-and.html

I have also found that using an SRV record for the Autodiscover service is the most reliable, but it requires Outlook 2007 with a hotfix; most public DNS hosting providers have added SRV support.
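The accepted answer describes two pieces: a "pinpoint" zone in internal DNS so that the public name resolves to the CAS's internal address, and a script that rewrites the CAS virtual-directory URLs to that public name, so that only names on the public SAN certificate are ever presented to a client and the .int names drop out of the picture entirely. The following is an added example of both steps in PowerShell; it is not the Set-AllVDirs.ps1 script linked above and not code from the thread. The server name CAS01, the internal address 10.0.0.5, and the names mail.company.com and autodiscover.company.com are assumptions to be replaced with your own values. The DNS cmdlets need the DnsServer module (Windows Server 2012 or later); the dnscmd equivalents for the 2008 R2 servers of the original thread are shown in comments.

```powershell
# Added example, not from the original thread. Assumed values below; replace them.
$PublicHost = 'mail.company.com'          # name on the public SAN certificate
$AutodHost  = 'autodiscover.company.com'  # second name on the certificate
$InternalIP = '10.0.0.5'                  # CAS01's internal address (assumed)
$Cas        = 'CAS01'                     # CAS server name (assumed)

# --- 1. Pinpoint zones on the internal AD-integrated DNS servers ----------------
# One zone per public hostname with a blank-name ("@") A record. Because the zone
# is only the single hostname, the rest of company.com still resolves through the
# normal public path; nothing else from the public zone has to be mirrored inside.
# On Windows Server 2008 R2 (no DnsServer module) the equivalent is:
#   dnscmd /ZoneAdd mail.company.com /DsPrimary
#   dnscmd /RecordAdd mail.company.com @ A 10.0.0.5
foreach ($zone in $PublicHost, $AutodHost) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain
    }
    Add-DnsServerResourceRecordA -ZoneName $zone -Name '@' -IPv4Address $InternalIP
}

# --- 2. Point every CAS virtual directory at the public name --------------------
# Run in the Exchange Management Shell. InternalUrl and ExternalUrl are set to the
# same value so domain-joined and non-domain-joined clients get identical answers
# from Autodiscover, and no client is ever handed a CAS01.company.int URL.
$vdirs = @(
    @{ Cmdlet = 'Set-OwaVirtualDirectory';         Vdir = 'owa';                         Path = '/owa' }
    @{ Cmdlet = 'Set-EcpVirtualDirectory';         Vdir = 'ecp';                         Path = '/ecp' }
    @{ Cmdlet = 'Set-ActiveSyncVirtualDirectory';  Vdir = 'Microsoft-Server-ActiveSync'; Path = '/Microsoft-Server-ActiveSync' }
    @{ Cmdlet = 'Set-OabVirtualDirectory';         Vdir = 'OAB';                         Path = '/OAB' }
    @{ Cmdlet = 'Set-WebServicesVirtualDirectory'; Vdir = 'EWS';                         Path = '/EWS/Exchange.asmx' }
)
foreach ($v in $vdirs) {
    $url = "https://$PublicHost$($v.Path)"
    & $v.Cmdlet -Identity "$Cas\$($v.Vdir) (Default Web Site)" -InternalUrl $url -ExternalUrl $url
}

# Outlook Anywhere must already be enabled (Enable-OutlookAnywhere) for this to apply.
Set-OutlookAnywhere -Identity "$Cas\Rpc (Default Web Site)" -ExternalHostname $PublicHost

# Domain-joined Outlook reads the Autodiscover SCP from AD before trying DNS, so
# the SCP URL must also carry a name that is on the certificate.
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://$AutodHost/Autodiscover/Autodiscover.xml"

# --- 3. Bind the public SAN certificate (no .int names on it) to IIS ------------
# Pick the certificate by the public name rather than hard-coding a thumbprint.
$cert = Get-ExchangeCertificate -Server $Cas |
    Where-Object { $_.CertificateDomains -contains $PublicHost } |
    Select-Object -First 1
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# --- 4. Checks ------------------------------------------------------------------
# From an internal client the public name must now resolve to the internal IP,
# and the CAS must advertise only public names.
nslookup $PublicHost
Get-ClientAccessServer -Identity $Cas | Format-List AutoDiscoverServiceInternalUri
Get-OwaVirtualDirectory -Server $Cas    | Format-List InternalUrl, ExternalUrl

# The SRV alternative mentioned in the answer lives in the *public* company.com
# zone, not in the pinpoint zones above; the record shape is:
#   _autodiscover._tcp.company.com.  SRV  0 0 443  mail.company.com.
```

One caveat the answer implies but does not spell out: after this change the certificate still has to be trusted by every client, so the interim certificate from the internal AD CA should be replaced by the public SAN certificate before non-domain-joined devices are moved over, and the old .int-named certificate should no longer be bound to IIS on the CAS.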

Author Comment

ID: 35690562
kdgoodknecht - Our firewall will 'fudge' the DNS requests for us so that any DNS request for the external name made from behind the firewall will simply return the internal address of the server. That should negate the need for the additional DNS records.

Thank you for the Set-AllVDirs.ps1 script, I'll give it a go this evening after production winds down.
